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ABSTRACT 

An  adversary  looking  to  disrupt  a  power  grid  may  look 
to  target  certain  substations  and  sources  of  power  genera¬ 
tion  to  initiate  a  cascading  failure  that  maximizes  the  num¬ 
ber  of  customers  without  electricity.  This  is  particularly 
an  important  concern  when  the  enemy  has  the  capability 
to  launch  cyber-attacks  as  practical  concerns  (i.e.  avoid¬ 
ing  disruption  of  service,  presence  of  legacy  systems,  etc.) 
may  hinder  security.  Hence,  a  defender  can  harden  the  se¬ 
curity  posture  at  certain  power  stations  but  may  lack  the 
time  and  resources  to  do  this  for  the  entire  power  grid.  We 
model  a  power  grid  as  a  graph  and  introdnce  the  cascad¬ 
ing  failnre  game  in  which  both  the  defender  and  attacker 
choose  a  subset  of  power  stations  such  as  to  minimize  (max¬ 
imize)  the  number  of  consumers  having  access  to  producers 
of  power.  We  formalize  problems  for  identifying  both  mixed 
and  deterministic  strategies  for  both  players,  prove  com¬ 
plexity  results  under  a  variety  of  different  scenarios,  iden¬ 
tify  tractable  cases,  and  develop  algorithms  for  these  prob¬ 
lems.  We  also  perform  an  experimental  evaluation  of  the 
model  and  game  on  a  real-world  power  grid  network.  Em¬ 
pirically,  we  noted  that  the  game  favors  the  attacker  as  he 
benefits  more  from  increased  resources  than  the  defender. 
Further,  the  minimax  defense  produces  roughly  the  same 
expected  payoff  as  an  easy-to-compute  deterministic  load 
based  (DLB)  defense  when  played  against  a  minimax  attack 
strategy.  However,  DLB  performs  more  poorly  than  mini¬ 
max  defense  when  faced  with  the  attacker’s  best  response  to 
DLB.  This  is  likely  due  to  the  presence  of  low-load  yet  high- 
payoff  nodes,  which  we  also  found  in  our  empirical  analysis. 
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1.  INTRODUCTION 

Rapid  cascading  failure  in  a  power  grid  caused  by  a  suc¬ 
cession  of  overloading  lines  can  lead  to  very  large  outages, 
as  observed  in  the  United  States  in  2003  [1].  Studies  on  cas¬ 
cading  failure  [7,  8,  16]  have  illustrated  that  such  a  failure 
can  be  initiated  with  only  a  small  number  of  initial  node  fail¬ 
ures.  Further,  power  grid  infrastructure  is  often  particularly 
vulnerable  with  respect  to  cyber-security  due  to  a  variety  of 
issues,  including  the  use  of  legacy  and  proprietary  computer 
hardware  and  software  [26]. 

In  this  paper,  we  extend  the  work  on  cascading  failure 
models  to  a  two-player  game  where  an  attacker  attempts  to 
create  a  cascade  that  maximizes  the  number  of  customers 
without  power  while  the  defender  defends  key  nodes  to  avoid 
a  major  outage.  In  Section  2,  we  introduce  an  extension  to 
the  failure  model  of  [8]  to  not  only  consider  the  attacker  and 
defender,  but  also  the  different  types  of  nodes  in  the  power 
grid  (i.e.  power  generation  vs.  power  consumers).  In  Sec¬ 
tion  3,  we  explore  the  computational  complexity  of  finding 
deterministic  best-response  strategies  for  the  attacker  and 
defender  under  several  different  scenarios  depending  on  the 
relative  number  of  resources  each  player  has  and  whether 
the  opponent  has  a  deterministic  or  mixed  strategy.  Here  we 
found  that,  in  general,  these  problems  are  NP-hard,  though 
we  do  identify  some  tractable  cases.  In  Section  4,  we  ex¬ 
plore  heuristic  algorithms  for  finding  determinsitic  “best  re¬ 
sponses”  as  well  as  minimax  mixed  strategies.  We  introduce 
a  “high-load”  strategy  for  defense  (based  on  the  observa¬ 
tions  of  [8]),  greedy  heuristics  for  deterministic  strategies, 
and  a  double-oracle  approach  based  on  [15]  for  finding  a 
mixed  strategy.  In  Section  5  we  perform  experiments  on  a 
real-world  dataset  of  a  power  grid  [20]  and  find  that  this 
game  seems  to  favor  the  attacker  as  he  benefits  more  from 
increased  resources  than  the  defender.  Further,  our  experi¬ 
ments  revealed  that  the  minimax  defense  produces  roughly 
the  same  expected  payoff  as  an  easy-to-compute  determin¬ 
istic  load  based  (DLB)  defense  when  played  against  a  min¬ 
imax  attack  strategy,  though  the  load  based  defense  does 
more  poorly  than  minimax  when  faced  with  the  attacker’s 
best  response  to  DLB.  This  is  likely  due  to  the  presence 
of  low-load  yet  high-payoff  nodes,  which  we  also  found  in 
our  empirical  analysis  of  the  model.  Finally,  related  work  is 
discussed  in  Section  6. 
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2.  TECHNICAL  PRELIMINARIES 

Consider  a  power-grid  network  modeled  as  an  undirected 
graph  G  =  (V,  E).  Let  Vid  C  y  be  source  (producers  of 
power)  and  load  (consumers  of  power)  on  the  network.  We 
shall  use  the  notation  discvi^.Vs^c  (G)  to  denote  the  number 
of  nodes  in  Vid  which  are  not  connected  to  any  node  in  Varc 
in  graph  G.  Let  G  be  the  set  of  all  subgraphs  of  G.  For 
a  given  node  i,  let  Naij)  be  the  set  of  nodes  in  Varc  —  {*} 
that  are  closest  to  that  node  (based  on  path  length  in  G). 
From  this,  we  define  edge  load  (similar  to  the  idea  of  edge 
betweenness  [25]). 


Definition  2.1  (Edge  Load).  Given  edgeij  e  E,  the 
edge  load,  loadaiij)  is  defined  as  follows: 


loadaiij)  =  E  E 

^^Vid  seMcCt) 


acisfilij) 
|AfG(t)|  a-G{s,t)' 


where  00(3,  t)  is  the  number  of  shortest  paths  between  s,t  G 
V  and  aGis,t\ij)  is  the  subset  of  these  paths  that  pass  through 
edge  ij  £  E. 


Starting  from  initial  network  Go  =  {Vo,Eq)  we  use  dj  to 
denote  the  capacity  edge  ij  £  Eq.  In  a  real-world  setting, 
we  would  expect  to  have  this  information.  However,  in  this 
paper,  we  use  the  following  proxy  (similar  to  [8]). 

Cij{Go)  =  (1  +  a)loadGo{ij) 

where  a  is  a  non-negative  real  that  specifies  the  excess  ca¬ 
pacity  available  on  that  line.  We  shall  refer  to  a  as  the 
capaeity  margin.  We  assume  that  an  edge  ij  £  E  fails  in 
G  =  {V,E),  with  E  C  Eg,  if  loadG{ij)  >  Cij(Go).  Once 
nodes  (and  adjacent  edges)  in  Vo  are  removed  from  Go,  this 
results  in  a  change  of  shortest  paths  between  sources  and 
loads,  hence  more  edges  will  potentially  fail.  This  cascading 
power  failure  is  modeled  by  a  “failure”  operator  denoted  with 
F  (based  on  the  failure  model  of  [8]  -  though  we  note  that 
our  model  is  a  new  contribution  due  to  the  consideration  of 
source  and  load  nodes)  that  maps  networks  to  networks.  We 
define  it  as  follows. 


Definition  2.2  (Failure  Operator).  The  failure  op¬ 
erator,  F  :  G  — >  G,  is  defined  as  follows: 

F{{V,E))  =  {V,{ij  £  E\load^v,E){ij)  <  cu(Go)}) 

Intuitively,  one  application  of  the  failure  operator  removes 
all  edges  that  have  exceeded  their  maximum  capacity.  We 
can  define  multiple  applications  of  this  operator  as  follows: 


r(G) 


G  if  i  =  0 

F(F‘-i(G))  otherwise 


attacker  is  unable  to  destroy  them  -  though  these  nodes  can 
be  taken  offline  as  a  result  of  the  cascading  failure^ .  The  at¬ 
tacker  can  destroy  ka  nodes  while  the  defender  can  harden 
kd  nodes.  Thus  the  strategy  space  of  both  the  attacker  and 
defender  consists  of  all  subsets  Va,Vd  ^  V  of  size  \  Va\  <  ka 
{\Vd\  <  kd  respectively).  We  denote  these  strategy  spaces 
by  ATK  {DEE  respectively),  i.e.,  if  we  allow  the  attacker 
to  consider  all  strategies  of  size  ka  or  less  we  have: 

ATK  =  {S  £2^  ■.  [S']  <  ka} 

We  now  have  all  of  the  components  to  define  the  payoff 
function. 

Definition  2.3  (Payoff  Function).  Given  initial  net¬ 
work  G  =  {V,  E)  with  edge  eapacities  Cij{G),  attaek  (defend) 
strategy  Va{Vd),  the  payoff  function  is  defined  by 

PG{Va,Vd)  =  c//scv,^,v_(F*((I/  -  (Va  -  Vd) ,  E)) . 

Now,  in  reality,  the  defender  will  have  real-world  limi¬ 
tations  on  the  number  of  nodes  (i.e.  substations)  he  may 
harden.  For  instance,  with  regard  to  smart  grid  defense,  ap¬ 
plying  the  most  up-to-date  patches  on  all  systems  may  not 
be  realistic  as  it  could  potentially  require  system  down-time  - 
affecting  customer  service.  Further,  it  would  also  likely  not 
make  sense  for  the  defender  to  only  harden  certain  nodes 
and  ignore  others.  Hence,  it  is  reasonable  to  consider  a  sit¬ 
uation  where  the  defender  can  only  harden  certain  nodes 
against  attack  (and  may  do  so  probabilistically  -  i.e.  ap¬ 
plying  hardware  or  software  updates  according  to  a  sched¬ 
ule).  Therefore,  we  study  mixed  strategies.  Such  strate¬ 
gies  will  be  specified  by  probability  distributions  Pra,Prd 
for  the  attacker  and  defender  respectively.  We  shall  denote 
the  number  of  strategies  assigned  a  non-zero  probability  as 
jPraj,  jPrdj-  We  can  define  expected  payoff  as  follows. 

Definition  2.4  (Expected  Payoff).  LetPra,Prdbe 
probability  distributions  over  all  subsets  of  V  of  sizes  ka 
(resp.  kd)  or  less.  These  probability  distributions  correspond 
to  a  mixed  strategy  for  the  attacker  and  defender  respectively. 
Hence,  given  such  probability  distributions,  the  expected  pay¬ 
off  can  be  computed  as  follows: 

ExP{Pra,Prd)=  Y,  Pra{Va)  Y  Prd{Vd)pG{Va,Vd) 

In  this  work  our  goal  is  to  find  the  minimax  strategy  for 
the  defender  -  that  is  the  mixed  strategy  for  the  defender 
that  minimizes  the  attacker’s  maximum  expected  payoff  - 
as  well  as  deterministic  “best  responses”  for  both  players 
given  the  other’s  strategy. 


Clearly,  there  must  exist  a  fixed  point  that  is  reached  in 
no  more  than  [Ej  -|-  1  applications  of  F.  Hence,  we  shall  use 
the  following  notation: 

F*(G)  =  F*(G)  s.t.  F\G)  =  F*+^(G) 

We  now  consider  two  agents:  an  attacker  and  a  defender. 
The  attacker’s  strategy  is  to  destroy  nodes  (and  their  ad¬ 
jacent  edges)  in  an  effort  to  cause  a  cascading  failure  that 
maximizes  the  number  of  load  nodes  {Vid)  that  are  discon¬ 
nected  from  all  source  nodes  (I4rc).  Meanwhile,  the  de¬ 
fender’s  strategy  is  to  harden  certain  nodes  such  that  the 


3.  COMPUTATIONAL  COMPLEXITY 

In  this  section,  we  analyze  the  computational  complexity 
of  determining  the  best  response  for  each  of  the  agents  to 
a  strategy  of  its  opponent.  First,  we  shall  discuss  the  case 
for  finding  a  deterministic  strategy  for  the  defender  and  at¬ 
tacker.  Then  we  shall  explore  the  computational  complexity 
of  finding  a  mixed  strategy.  We  summarize  our  complexity 
results  in  Table  3. 

^Note  that  this  would  likely  be  the  case  where  the  attack 
and  defense  occurs  in  cyber-space,  while  the  cascade  occurs 
in  the  physical  world. 
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Opponent  Strategy 

Attacker 

Defender 

Mixed  w.  1  resource 

NP-Gompl. 
Thm.  3 

PTIME 
Prop.  3.2 

Det.  w.  fewer  resources 

NP-Gompl. 
Thm.  3 

PTIME 
Prop.  3.1 

Det.  w.  greater  resources 

NP-Gompl. 
Thm.  3 

NP-Gompl. 
Thm.  1 

Mixed  w.  fewer  resources 

NP-Gompl. 
Thm.  3 

NP-Gompl. 
Thm.  2 

Mixed  w.  greater  resources 

NP-Gompl. 
Thm.  3 

NP-Gompl. 
Thm.  1 

Table  1:  Complexity  Results  for  Finding  a  Deter¬ 
ministic  Best  Response 

We  frame  the  formal  combinatorial  problem  of  finding  the 
best-response  for  the  defender  as  follows: 

Grid-Defend  Deterministic  Best  Response  (GD-DBR) 

INPUT:  Network  G  =  {V,E),  attacker  mixed  strategy  Pra 
(where  each  option  is  of  size  no  greater  than  ka),  natural 
number  kd,  real  numbers  X,  a 

OUTPUT:  “Yes”  if  there  exists  a  set  14  C  U  s.t.  \Vd\  <  kd 
and  Ylva&ATK  Pi’a(14)PG(Pa,  14)  <  X  and  “no”  otherwise. 

We  shall  study  this  case  under  several  conditions.  The 
first,  and  easiest  case  is  when  Pra  =  1  (the  attacker  uses  a 
deterministic  strategy)  and  ka  <  kd- 

Proposition  3.1.  When  ka  <  kd  and  \Pra\  =  1  then 
GD-DBR  is  solvable  in  polynomial  time. 

Proof.  As  the  attacker  plays  only  one  strategy  and  the 
defender  can  defend  at  least  as  many  nodes  as  are  being 
attacked,  the  defender  simply  defends  all  the  nodes  in  the 
attacker’s  strategy.  □ 

However,  even  with  |Pra|  =  1,  the  problem  becomes  NP- 
hard  in  the  case  where  ka  >  kd- 

Theorem  1.  When  ka  >  kd  then  GD-DBR  is  NP-complete, 
even  when  \Pra\  =  1  and  X  is  an  integer. 

Proof.  Clearly,  checking  if  a  given  deterministic  defender 
strategy  14  meets  the  requirements  of  the  “output”  of  GD- 
DBR  can  be  completed  in  polynomial-time,  providing  mem¬ 
bership  in  the  class  NP. 

For  NP-hardness  consider  the  known  NP-hard  “set  cover” 
problem  [11]  that  takes  as  input  a  natural  number  k,  set 
of  elements  S  =  {si, . . . ,  s„},  family  of  subsets  of  S',  R  = 
{hi , . . . ,  hm}  and  returns  “yes”  if  there  is  a  fc-sized  (or  smaller) 
subset  of  H  s.t.  their  union  is  equal  to  S.  We  can  embed 
Set  Cover  into  an  instance  of  GD-DBR  in  polynomial  time 
with  the  following  embedding:  set  ka  =  \H\,  kd  =  k,  X  =  0, 
a  =  \H\  +  jSj,  create  G  =  (U,  E)  as  follows: 

•  For  each  h  &  H  create  a  node  and  for  each  s  S  S  create 
node  Vs 

•  If  s  £  h,  create  edge  (u^,  Vs),  for  each  ij  £  E 

.  Set  =  {Vh\h  £  H},  Vid  =  £  5},  Ua  =  U  -  Vu 

Suppose,  by  way  of  contradiction  (BWOC),  that  there  is 
a  “yes”  answer  to  Set  Cover  but  a  “no”  answer  to  GD-DBR. 
Consider  set  H'  a  subset  of  H  that  is  the  certificate  for  Set 
Cover  and  the  corresponding  set  V'  =  {vh\h  £  H'}  in  the 


instance  of  GD-DBR.  Suppose  the  defender  utilizes  this  as 
a  strategy.  The  attacker  then  effectively  attacks  the  set  V  — 
Vid  —  V.  Note  that  as  the  graph  is  bi-bipartite,  this  does  not 
cause  any  cascading  failure.  By  the  construction,  each  load 
node  must  be  connected  to  a  source  node,  hence  the  number 
of  offline  load  nodes  is  X.  This  gives  us  a  contradiction. 

Suppose,  BWOC,  that  there  is  a  “yes”  answer  to  GD-DBR 
but  a  “no”  answer  to  the  corresponding  instance  of  Set  Cover. 
Let  V'  be  the  certificate  for  GD-DBR.  We  note  that  any  el¬ 
ement  of  Vid  n  V  in  V'  can  be  replaced  by  a  neighboring 
node  from  Vsrc  without  changing  the  size  of  this  set  and  that 
such  a  set  would  still  allow  for  all  load  nodes  to  remain  on¬ 
line,  let  V"  be  this  new  set.  Consider  the  set  {h\vh  £  V"}. 
By  the  contra-positive  of  the  claim,  this  cannot  be  a  cover 
of  all  elements  of  S.  However,  this  would  also  imply  that 
there  is  some  element  Vs  £  Vid  that  is  not  connected  to  V” 
meaning  that  it  fails  (as  the  attacker  successfully  destroys 
all  its  neighbors).  This  means  that  the  adversary  has  a  pay¬ 
off  greater  than  0  (which  is  what  X  was  set  to)  -  hence  a 
contradiction.  □ 

Hence,  the  presence  of  a  more  advantageous  attacker  is 
a  source  of  complexity.  The  next  question  would  be  if  the 
attacker’s  behavior,  i.e.  deterministic  vs.  non-deterministic, 
also  affects  the  complexity  of  the  problem,  even  if  the  de¬ 
fender  has  the  advantage.  First,  let  us  examine  the  case 
where  the  attacker  has  a  mixed  strategy  with  fca  =  1. 

Proposition  3.2.  When  ka  =  1  then  GD-DBR  is  solv¬ 
able  in  polynomial  time  (w.r.t.  \Pra\),  even  when  |Pra|  >  0. 

Proof.  In  this  case,  we  can  re-write  the  payoff  function 
as  PG{{v},Vd)  =  0  if  u  £  14  and  pg({w},14)  =  pg({u},0) 
otherwise.  Let  V'  =  U{Va  £  ArA'|Pra(14)  >  0}.  Note 
that  each  element  of  V'  is  also  a  strategy  the  attacker  plays 
with  a  non-zero  probability  (as  the  attacker  only  plays  sin¬ 
gletons).  Hence,  the  expected  payoff  can  be  re-written  as 
Pra({u})j3G({w},  0).  Therefore,  the  best  a  de¬ 
fender  can  do  is  defend  the  top  kd  nodes  in  V'  where 
Pra({w})pG({u},  0)  is  the  greatest  -  which  can  be  easily  com¬ 
puted  in  polynomial  time  and  allows  us  to  determine  the 
answer  to  GD-DBR.  □ 

However,  if  the  defender  is  playing  a  mixed  strategy  with 
fca  >  1,  then  the  problem  again  becomes  NP-complete. 

Theorem  2.  When  \Pra\  >  1  and  ka  >  1,  GD-DBR  is 
NP-complete,  even  when  kd  >  ka  and  X  is  an  integer. 

Proof.  NP-completeness  mirrors  that  of  Theorem  1.  For 
NP-hardness,  we  again  consider  a  reduction  from  set-cover 
(defined  in  the  proof  of  Theorem  1.  The  embedding  can 
again  be  performed  in  polynomial  time  as  follows:  set  ka  = 
maxsgs|{h|s  £  h}\,  set  kd  =  k,  X  =  0,  a  =  \H\  -f  [S'], 
create  G  =  {V,E),  Vsrc,  and  Vid  as  per  the  construction  in 
Theorem  1.  We  then  set  up  the  mixed  strategy  as  follows: 
for  each  s  €  S,  let  14*  =  {hjs  £  h}  and  Pra(14“)  =  VI'S'l- 

Suppose,  BWOG,  that  there  is  a  “yes”  answer  to  set  cover 
and  a  “no”  answer  to  the  instance  of  GD-DBR.  Gonsider 
set  cover  solution  H*  and  set  14  =  {vh\h  £  H*}.  Note 
that  14  meets  the  cardinality  requirement.  Note  that  by 
the  construction,  a  source  node  becomes  disconnected  only 
if  all  of  the  load  nodes  connected  to  it  are  attacked,  hence 
there  is  some  node  in  the  set  Vid  that  is  totally  disconnected 
under  at  least  one  attacker  strategy  -  let  Vs  be  this  node. 
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However,  as  set  H*  covers  S,  then  regardless  of  the  attacker 
strategy,  there  is  always  some  node  Vh  that  is  connected  and 
never  attacked  (giving  the  attacker  a  payoff  of  zero)  -  hence 
a  contradiction. 

Suppose,  BWOC,  that  there  is  a  “yes”  answer  to  GD-DBR 
and  a  “no”  answer  to  the  instance  of  set  cover.  Consider  GD- 
DBR  solution  V' .  We  note  that  any  element  of  Vid  H  V'  in 
V'  can  be  replaced  by  a  neighboring  node  from  Varc.  without 
changing  the  size  of  this  set  and  that  such  a  set  would  still 
allow  for  all  load  nodes  to  remain  online,  let  V"  be  this 
new  set.  Consider  the  set  H*  —  {h\vh  £  V'}.  Note  that 
\H*\  <  k.  By  the  contra-positive,  there  must  be  at  least 
one  element  of  S  not  covered  by  H* .  Let  node  Vs  be  a  node 
associated  with  uncovered  element  s.  As  GD-DBR  returned 
“yes”  then  there  is  no  attacker  strategy  where  Vs  becomes 
disconnected  from  some  node  in  Vsrc-  As  attack  strategy 
Va  includes  all  nodes  that  are  connected  to  Vs,  then  at  least 
one  of  these  nodes  must  be  included  in  V" .  Therefore,  for 
every  node  Vs  G  Vid  there  is  some  node  vh  £  Vid  n  V”  that  is 
connected  to  it,  which  means,  by  the  construction,  that  H* 
must  cover  all  elements  of  S  -  a.  contradiction.  □ 

We  now  frame  the  formal  problem  for  finding  a  determin¬ 
istic  best-response  for  the  attacker  below. 

Grid- Attack  Deterministic  Best  Response  (GA-DBR) 

INPUT:  Network  G  =  {V,E),  defender  mixed  strategy  Pr^ 
(where  each  option  is  of  size  no  greater  than  kd),  natural 
number  ka,  real  numbers  X,  a 

OUTPUT:  “Yes”  if  there  exists  a  set  14  C  U  s.t.  |I4|  <  ka 
and  Y^VdeDEF  Prd(Vd)pG(V'a,  14)  >  X  and  “no”  otherwise. 

In  the  case  of  fca  =  1,  this  problem  is  solvable  in  poly¬ 
nomial  time:  simply  consider  each  v  G  V.  The  attacker 
computes  J2vaeDEF^^d{Vd)pG{{v},Vd)  until  one  is  found 
that  causes  the  payoff  to  exceed  or  be  equal  to  X.  However, 
for  strategies  of  larger  size,  the  problem  becomes  NP-hard, 
regardless  of  the  size  of  the  defender  strategy. 

Fact  3.1.  When  ka  =  1,  GA-DBR  is  solvable  in  polyno¬ 
mial  time  (w.r.t.  \Prd\). 

Theorem  3.  GA-DBR  is  NP-complete. 

Proof.  Clearly,  a  certificate  consisting  of  a  set  Va  C  V 
can  be  verified  in  polynomial  time,  giving  us  membership  in 
NP.  For  NP-hardness  consider  the  known  NP-hard  “vertex 
cover”  problem  [11]  that  takes  as  input  a  graph  G'  =  {V' ,  E') 
(with  no  self-loops)  and  natural  number  k  and  returns  “yes” 
iff  there  is  a  set  of  k  or  fewer  vertices  that  are  adjacent 
to  each  edge  in  E.  We  can  embed  vertex  cover  into  an 
instance  of  GD-DBR  in  polynomial  time  with  the  following 
embedding:  set  ka  =  k,  kd  =  Q,  Vd  =  %,  X  =  \V'\,  a  =  \E\, 
G  =  G',  and  Vsra  =  Vm  =  U'. 

Suppose,  BWOC,  the  above  problem  instance  provides  a 
“yes”  answer  to  the  vertex  cover  problem  but  a  “no”  answer 
to  GA-DBR.  Let  V"  be  a  vertex  cover  of  size  k  or  less  for  G' . 
Consider  the  corresponding  set  of  vertices  in  G  (we  shall  call 
this  V*).  Note  that  |U*|  <  ka-  As  an  attacker  attacking  V* 
disconnects  those  nodes  from  the  network,  all  edges  adjacent 
to  V*  fall.  As  V*  is  a  vertex  cover  for  G,  this  means  that 
there  are  no  edges  in  the  graph  once  V*  is  removed.  Hence, 
no  load  node  is  connected  to  any  source  node  -  giving  the 
attacker  a  payoff  of  at  least  X  -  hence  a  contradiction. 


Suppose,  BWOC,  the  above  problem  instance  provides  a 
“yes”  answer  to  GA-DBR  but  a  “no”  answer  to  the  vertex 
cover  problem.  Let  14  be  the  set  of  nodes  the  attacker  at¬ 
tacks  in  GA-DBR.  As  a  =  \E\  and  as  I4rc  =  V ,  nodes  only 
fail  in  a  cascade  if  they  are  either  targeted  by  the  attacker 
or  become  totally  disconnected.  Further,  as  X  =  jUj,  all 
nodes  in  G  are  either  in  14  or  disconnected  -  meaning  that 
14  must  be  a  vertex  cover  of  size  ka  or  less.  As  ka  =  k  we 
have  a  contradiction.  □ 

Due  to  the  use  of  covering  problems  for  the  complexity 
results  in  Theorems  1,2,  and  3,  it  may  seem  reasonable  to 
frame  the  problem  as  a  sub-  or  super-  modularity  optimiza¬ 
tion  where  the  objective  function  is  monotonic.  However, 
here  we  show  (unfortunately)  that  these  properties  do  not 
hold  for  either  player.  First,  we  shall  make  statements  re¬ 
garding  the  monotonicity  of  the  payoff  function. 

Proposition  3.3.  /#VU;,  K  c  K'.-  pg(K,  KT)  <  pg(V;',  u;) 
then  VU;,  Vd  C  U,';  pg(K*,  Ud)  >  Pg(U„*,  Ui)- 

The  idea  of  submodularity  can  be  thought  of  as  “dimin¬ 
ishing  returns.”  Given  a  set  of  elements  S  and  a  function 
/  :  2®  K+,  we  say  a  f  is  submodular  if  for  any  sets 

Si  C  S2  and  element  s  ^  S2,  we  have  the  following  relation¬ 
ship: 

/(Si  U  {s})  -  F(Si)  >  /(S2  U  {s})  -  E{S2) 

A  complementary  idea  of  supermodularity  is  also  often 
studied  -  in  this  case  the  inequality  is  reversed.  Unfortu¬ 
nately,  when  we  fix  the  strategy  for  the  defender,  the  at¬ 
tacker  strategy  is  neither  submodular  nor  supermodular  - 
making  the  dynamics  of  this  model  significantly  different 
from  others  (i.e.  [24]).  Let  consider  strategies  14,14  where 
14  causes  some  load  node  v  ^  (14  U  14)  Pi  Vu  to  disconnect 
and  any  node  the  strategy  {u}  causes  to  disconnect  will  also 
become  disconnected  with  strategy  14  (such  a  case  is  easy  to 
contrive,  particularly  with  a  bi-partite  network).  Therefore, 
we  get  the  following  relationship: 

PG{Va  U  {u},  Vd)  -  PGiVa,  Vd)  <  Pg{{v},  Vd)  -  pg{%,  Vd) 

This  arises  from  the  fact  that  the  left-hand  side  of  the  above 
equation  becomes  zero  and  the  right  hand  side  of  the  equa¬ 
tion  is  equal  to  J5g({u},  14)  which  must  be  at  least  one.  Now 
consider  another  example.  Suppose  we  have  a  simple  V- 
shaped  network  of  three  nodes.  The  angle  of  the  V  is  a  load 
node,  while  the  other  two  nodes  are  source  nodes.  With 
a  =  1,  the  load  node  receives  power  if  at  least  one  of  the 
source  nodes  is  connected  to  it.  However,  it  does  not  require 
both.  Let  14  be  a  strategy  consisting  of  one  source  node  and 
V  be  the  other  source  node,  and  14  consist  of  the  load  node. 

From  this,  we  have  the  following  relationship: 

PG{Va  U  {u},  Vd)  -  PGiVa,  Vd)  >  pg{{v},  Vd)  -  PGi%,  Vd) 

In  this  case,  the  right-hand  side  becomes  zero  while  the  left 
hand  side  becomes  one.  This  leads  us  to  the  following  fact: 

Fact  3.2.  When  Vd  is  fixed,  PG  is  neither  submodular  nor 
supermodular. 

Now  let  us  consider  when  we  fix  the  attacker’s  strategy. 

If  the  payoff  is  submodular  when  the  attacker’s  strategy  is 
fixed,  then  we  have  the  following  for  14  4  14^  and  v  ^  Uj  if 
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the  payoff  subtracted  from  the  number  of  nodes  is  submod- 
ular: 

Pg(K,  Vh  u  {v})  -  paiVa,  V^)  >  pg(K,  14  u  {v})  -  poiVa,  14) 

This  is  equivalent  to  the  following: 

PG{Va  -  (14'  U  {«}), 0)  -  pg(14  - 14, 0)  > 

Pg(14  -  (14  U  {«}),  0)  -  pciVa  -  14, 0) 

Now  let  14'  =  14  -  (14  U  {v})  and  14"  =  14  U  (I4'  -  14). 
Clearly  14"  4  14'  and  v  ^  14".  Now  we  get  the  following: 

pg(14',0)-J5g(14'uM,0)  >  pg(14",0)-pg(14"uM,0) 
pg(14'uM,0)-pg(14',0)  <  pg(14"uM,0)-pg(14",0) 

Hence,  submodualrity  of  the  payoff  function  when  the  at¬ 
tacker’s  strategy  is  fixed  would  give  us  supermodualrity  of 
the  payoff  function  when  the  defender’s  strategy  is  fixed  at 
the  empty  set.  However,  this  clearly  violates  Fact  3.2  and 
gives  rise  to  the  following: 

Fact  3.3.  When  14  is  fixed,  pa  is  neither  submodular 
nor  supermodular. 


4.  ALGORITHMS 

In  this  section,  we  present  heuristic  algorithms  for  finding 
the  deterministic  best  response  of  each  player  as  the  results 
of  the  previous  section  generally  preclude  a  polynomial  time 
algorithm  for  an  exact  solution.  We  first  introduce  a  version 
of  a  “high  load”  strategy  for  the  defender  based  on  the  ideas 
of  [8].  Then  we  introduce  a  greedy  heuristic  for  each  player. 
This  is  followed  by  our  approach  for  finding  mixed  strategies 
based  on  the  double-oracle  algorithm  of  [15]. 


Hi-Load  Node  Approach.  In  [8],  the  authors  study  “high 
load”  nodes:  nodes  through  which  the  greatest  number  of 
shortest  paths  pass.  They  show  that  attacks  on  these  nodes 
tend  to  initiate  cascading  failures  -  suggesting  that  they 
should  be  a  priority  for  defense.  We  formalize  the  definition 
of  nodal  load  in  our  framework  (essentially  an  extended  def¬ 
inition  of  node  betweenness  [25])  by  extending  our  function 
loada  for  nodes  as  follows. 


Definition  4.1  (Nodal  Load).  For  a  given  node,  the 
nodal  load  is  defined  as  the  sum  of  the  fraction  of  shortest 
paths  for  each  pair  that  pass  through  that  node.  Formally: 


loada  (i)  = 


E 


seVsr-a,tev,,i 
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where  (tg(s,  t\i)  is  the  number  of  shortest  paths  between  s,t  G 
V  that  pass  through  node  i. 


Hence,  we  shall  refer  to  the  Deterministic  Load-Based  or 
DLB  strategy  for  the  defender  as  one  in  which  he  determin¬ 
istically  protects  the  kd  nodes  with  the  greatest  load.  We 
note  that  this  is  not  necessarily  a  “best  response”  but  the  in¬ 
tuition  is  that  defense  will  occur  at  nodes  that  are  perceived 
to  be  critical  to  the  adversary.  This  intuition  is  similar  to 
that  of  the  “most  vital  arc”  idea  seen  in  other  failure  model 
games  [2,  21]. 


Greedy  Heuristics  for  Finding  Deterministic  Strate¬ 
gies.  Here  we  present  a  simple  greedy  heuristic  to  find  the 
defender’s  best-response  (GREEDY_DEFENDER_RESP).  The 


analogous  heuristic  for  the  attacker  is  not  shown  due  to  space 
constraints,  but  we  shall  refer  to  it  as 
GREEDY_ATTACKER_RESP.  We  note  that  while  we  do  not 
make  general  approximation  guarantees  (due  to  the  results 
in  Section  3),  we  note  that  by  Proposition  3.3,  that  nodes 
added  in  step  18  will  always  cause  an  increase  in  payoff  to  the 
defender  (and  in  the  analogous  greedy  approach  for  the  at¬ 
tacker,  this  holds  true  as  well).  Further,  by  Proposition  3.2, 
when  fen  =  1,  we  can  be  sure  that  GREEDY_DEFENDER_RESP 
returns  an  exact  solution,  even  when  the  attacker  has  a 
mixed  strategy.  Unfortunately,  by  Theorem  3,  the  same  can¬ 
not  be  said  if  the  greedy  heuristic  is  used  for  the  attacker’s 
best  response. 


Algorithm  1  GREEDY_DEFENDER_RESP 

Require:  Mixed  strategy  Prn,  Natural  number  kd 
Ensure:  Set  of  nodes  Vd 

1:  14  =  0 

2:  Let  ATK  be  the  set  of  strategies  associated  with  Pra 
3:  Set  flag  =  True,  p*  =  —00 
4:  while  |\4I  4  kd  and  flag  and  p*  <  0  do 
5:  P*  =  -EvneATAPr4W)PG(W,14) 

6:  curBest  =  null,  curBestScore  =  0,  haveValid Score  = 

False 

7 :  for  i  G  V  —  Vd  do 

8:  curScore  =  p*  -  T,v„eATK  Pi'd(Ua)PG(14, 14  U  {i}) 

9:  if  curScore  >  curBestScore  then 

10:  curBest  =  i 

11:  curBestScore  =  curScore 

12:  haveValidScore  =  True 

13:  end  if 

14:  end  for 

15:  if  haveValidScore  =  f3\se  then 

16:  flag  =  False 

17:  else 

18:  14  =  14  U  {curBest} 

19:  end  if 

20:  end  while 
21:  return  Vd- 


Finding  Mixed  Strategies.  If  the  attacker  uses  a  mixed 
strategy  that  consists  of  uniformly  attacking  elements  of 
[S  C  Vid  :  ]S]  =  ka}  then  the  best  any  pure  defender  strat¬ 
egy  can  do  is  defending  14  C  Vu-  The  attacker’s  strategy  im¬ 
plies  that  any  node  in  Vm  is  attacked  with  probability  . 
Each  of  the  \Vid\  —  ka  remaining  nodes  in  Vu  is  then  discon¬ 
nected  with  probability  i.e.,  x  >  fea(l  —  Clearly 

due  to  the  cascading  the  value  of  the  game  will  probably 
be  higher,  illustrating  the  disadvantage  the  defender  has  in 
this  game.  To  determine  both  player’s  optimal  strategies 
and  the  value  of  the  game  we  resort  to  an  algorithmic  ap¬ 
proach.  We  find  the  defender’s  optimal  strategy  with  the 
following  linear  program.  We  can  find  minimax  strategy  for 
the  defender  with  the  following  linear  program.  It  simply 
assigns  a  probability  to  each  of  the  defenders  strategies  in  a 
manner  that  minimizes  the  maximum  payoff  for  the  adver¬ 
sary.  As  a  consequence,  the  solution  to  the  following  linear 
program,  DEF_LP  can  provide  the  mixed  minimax  strategy 
for  the  defender.  An  analogous  linear  program,  ATK_LP  (not 
shown),  which  mirrors  DEF_LP,  will  provide  that  result  for 
the  attacker. 
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Definition  4.2  (DEF_LP). 


min  p* 

(1) 

subj.to  p*  >  Ylvd&DEF  ^VdPG(^a,Vd) 

VVa  e  ATK 

(2) 

1  =  ^VdGDEF  ^Vd 

(3) 

Xvd  e  ]o,  1] 

VVd  e  DEF 

(4) 

Note  that  the  above  linear  program  requires  one  variable 
for  each  of  the  defender’s  strategies  and  one  constraint  for 
each  of  the  attacker’s  strategies.  However,  as  there  are  a 
combinatorial  number  of  strategies,  even  writing  down  such 
a  linear  program  is  not  practical  except  for  very  small  prob¬ 
lem  instances.  To  address  this  issue  of  intractability,  we 
employ  the  double-oracle  framework  for  zero-sum  games  in¬ 
troduced  in  [15]  and  has  been  applied  in  more  recent  work 
as  well  [5,  12].  We  present  the  algorithm  DOUBLE_ORACLE 
as  follows: 


Algorithm  2  DOUBLE_ORACLE 

Require:  Network  G  =  {V,E),  natural  number  maxiters 
Ensure:  Mixed  defender  strategy  Fr^ 

1:  Initialize  numiters  =  0,  flag  =  True 

2:  Initialize  the  sets  of  strategies  ATK,  DEF  to  both  be  {0} 

3:  while  flag  and  numiters  <  maxiters  do 

4:  Create  Pra,Pr,i  based  on  the  solutions  to  ATK_LP  and 

DEF_LP  respectively. 

5:  IF  numiters  <  maxiters  THEN  let  Va  be  the  attacker’s 

best  response  to  Pr^j  and  Vd  be  the  defender’s  best  re¬ 
sponse  to  Pra 

6:  IF  Va  e  ATK  and  Vd  S  DEF  THEN  flag  =  False  ELSE 

ATK  =  ATK  U  {14},  DEE  =  DEF  U  {14} 

7:  numlters+  =  1 

8:  end  while 

9:  return  Pr^. 


The  intuition  behind  the  above  algorithm  is  that  it  itera¬ 
tively  creates  mixed  strategies  for  both  the  attacker  and  de¬ 
fender  based  on  a  solution  to  a  linear  program  over  the  sets 
of  current  possible  strategies  for  both  players  [ATK,  DEF). 
This  is  followed  by  finding  (for  each  player)  the  best  deter¬ 
ministic  response  to  it’s  opponent’s  strategy.  If  these  new 
strategies  are  both  already  in  the  set  of  possible  strategies 
for  the  respective  players,  the  algorithm  terminates.  Other¬ 
wise,  they  are  added  to  AT K,  DEF  respectively.  We  note 
that  by  Theorem  1  of  ]15]  that  the  above  algorithm  will  guar¬ 
antee  an  exact  solution  if  maxiters  is  set  to  the  number  of 
possible  strategies.  In  practice,  ]15]  demonstrates  that  the 
algorithm  converges  much  faster. 

In  DOUBLE_ORACLE,  the  Hnding  the  solutions  to  DEF_LP, 
ATK_LP  will  be  tractable  provided  that  the  algorithm  con¬ 
verges  in  a  polynomial  number  of  steps  (either  through  con¬ 
vergence  or  after  the  specihed  maxiters).  However,  as  we 
have  shown,  computing  the  best  responses  is  usually  com¬ 
putationally  difficult.  Although,  we  note  in  the  case  where 
fca  =  1,  that  by  Proposition  3.2  and  Fact  3.1,  the  double  ora¬ 
cle  algorithm  will  return  an  optimal  solution,  even  if  greedy 
approximations  are  used  for  the  oracles  (provided  it  runs 
until  convergence). 

5.  EXPERIMENTAL  EVALUATION 

All  experiments  were  run  on  a  computer  equipped  with 
an  Intel  X5677  Xeon  Processor  operating  at  3.46  GHz  with 
a  12  MB  Cache  and  288  GB  of  physical  memory.  The  ma¬ 
chine  was  running  Red  Hat  Enterprise  Linux  version  6.1. 


Nodal  Load  Capacity  Margin 


Figure  1:  Left:  Nodal  load  vs.  payoff  (note  hi-payoff, 
low- load  nodes  in  the  dashed  box),  Right:  Capacity 
margin  (a)  vs.  payoff 

Only  one  core  was  used  for  experiments.  All  algorithms 
were  coded  using  Python  2.7  and  leveraged  the  NetworkX 
library^  as  well  as  the  PuLP  library  for  linear  programming^ . 
All  statistics  presented  in  this  section  were  calculated  using 
the  R  statistics  software. 

In  our  experiments,  we  utilized  a  dataset  of  an  Italian  380 
kV  power  transmission  grid  ]20].  This  power  grid  network 
consisted  of  310  nodes  of  which  113  were  source,  96  were 
load,  and  the  remainder  were  transmission  nodes.  The  nodes 
were  connected  with  361  edges  representing  the  power  lines. 

In  our  initial  experiments,  we  examined  the  properties 
of  the  model  when  no  defense  is  employed.  In  Figure  1 
(left)  we  show  results  concerning  nodal  load  vs.  the  payoff 
achieved  by  the  adversary  if  that  node  is  attacked  (and  no 
others).  Interestingly,  we  noticed  a  significant  number  of 
nodes  with  low  nodal  load  yet  high-payoff  if  attacked  (see 
nodes  in  dashed  box).  This  may  suggest  that  the  DLB  strat¬ 
egy  may  be  insufficient  in  some  cases.  Later  we  see  how  DLB 
fails  to  provide  adequate  in  a  defense  against  the  attacker 
best  response  to  DLB.  This  is  likely  due  to  these  hi-payoff, 
low-load  nodes.  In  Figure  1  (right)  we  examine  a  (capacity 
margin)  vs.  attacker  payoff  for  various  settings  of  ka  (using 
the  GREEDY_ATTACKER_RESP  heuristic).  Here  we  found 
that,  in  general,  payoff  decreases  linearly  with  capacity  mar¬ 
gin  (R^  >  0.84  for  each  trial). 

Next,  we  examined  the  relative  performance  of  the  min¬ 
imax  (mixed)  defense  strategy  and  the  DLB  strategy  un¬ 
der  different  resource  constraints  and  against  the  minimax 
(mixed)  attack  strategy  as  well  as  the  attacker’s  (determin¬ 
istic)  greedy  response  to  the  DLB  defense.  In  these  experi¬ 
ments,  we  considered  the  case  where  both  players  have  equal 
resources,  the  attacker  has  one  resource  (which  by  Propo¬ 
sition  3.2  and  Fact  3.1  we  are  guaranteed  an  optimal  solu¬ 
tion),  and  the  defender  has  one  resource.  These  results  are 
displayed  in  Figure  2.  In  these  trials  we  set  the  capacity 
margin  a  =  0.5,  meaning  that  all  edges  had  an  excess  ca¬ 
pacity  of  50%.  We  did  not  use  the  maxiters  parameter  of 
the  DOUBLE_ORACLE  algorithm,  but  instead  allowed  it  to 
run  until  convergence. 

With  regard  to  the  comparison  between  DLB  and  mini¬ 
max  defense,  both  performed  comparably  against  the  mini¬ 
max  attack  strategy.  In  fact,  an  analysis  of  variance  (AN OVA) 
indicated  little  variance  between  the  two  when  faced  with  the 
minimax  attacker  (p  >  0.74  for  these  trials).  Yet,  a  defender 
known  to  be  playing  a  single  strategy  would  likely  not  face 
an  attacker  who  plays  the  minimax  strategy,  but  rather  the 

^http:/ /networkx.lanl.gov/ 

^http://pythonhosted.org/PuLP/ 
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Minimax  Attack  Strategy 


Greedy  Attacker  Response  to  DLB 


eMinimax 

Defense 


OLB  Defense  o  i 


Resources 


6Minimax 

Defense 


DLB  Defense 


@Minimax 
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DLB  Defense  ^  i 


Figure  2:  Minimax  and  DLB  defense  strategies  vs. 
minimax  attack  strategy  (left)  and  the  attacker’s 
greedy  best  response  to  DLB  (right).  Examined  are 
the  cases  where  ka  =  kd  (top),  ka  =  1,  kd  varies  (mid¬ 
dle)  and  kd  =  1,  ka  varies  (bottom). 


best  response  to  the  DLB.  In  this  case,  DLB  play  resulted 
in  significantly  greater  payoff  to  the  attacker  than  the  de¬ 
fender  {p  <  0.29  for  these  trials,  the  DLB  defense  resnlts  in 
15.6  more  disconnected  nodes  on  average).  This  failnre  of 
the  DLB  strategy  to  perform  well  against  a  deterministic  at¬ 
tacker  best  response  is  likely  due  to  the  presence  of  low-load 
yet  high-payoff  nodes  as  shown  in  Figure  1. 

We  also  noticed  that  an  increase  in  resources  seems  to  fa¬ 
vor  the  attacker  more  than  the  defender.  When  both  play¬ 
ers  played  their  respective  minimax  strategy,  the  expected 
payoff  for  the  attacker  increased  monotonically  with  the  car¬ 
dinality  of  the  strategies.  Further,  when  kd  =  1  and  ka  was 
greater,  the  attacker’s  payoff  tripled  when  his  resources  in¬ 
creased  from  1  to  6.  However,  when  fca  =  1  and  kd  was 
greater,  the  defender’s  payoff  only  increased  by  a  factor  of 
1.7.  Hence,  the  attacker  can  cause  more  damage  than  the 
defender  can  mitigate  with  the  same  amount  of  extra  re¬ 
sources.  We  suspect  that  this  is  likely  because  a  defended 
node  can  still  fail  during  a  cascade  -  which  would  likely  be 
the  case  if  the  attack  and  defense  operations  are  restricted  to 
cyber-space,  where  physical  system  failure  may  still  be  pos¬ 
sible  as  the  result  of  a  cascade  initiated  by  virtual  means. 

We  also  examined  the  run-time  of  our  approach,  as  dis¬ 
played  in  Figure  3  (left).  Though  run-time  did  seem  to  scale 
linearly  with  strategy  size  {R^  =  0.90  ±  0.2  for  each  experi¬ 
ment),  it  appears  that  run-time  will  in  general  prohibit  the 
study  of  larger  strategies  or  networks  (our  longest  experi¬ 
ment  ran  for  12  days).  In  examining  the  iterations  of  the 
DOUBLE_ORACLE  algorithm.  Figure  3  (left),  we  find  that 
run-time  of  an  iteration  of  the  algorithm  progressively  in¬ 
creases  (note  that  this  figure  is  showing  the  run-time  for 


max(kg,kj 


--Equal  resources 


■  Advantageous 
defender 


Advantageous 

Attacker 


Iteration  Number 


Figure  3:  Strategy  size  vs.  run-time  in  hours  (left) 
and  the  run-time  of  each  iteration  for  the  experi¬ 
ments  where  ka  =  kd 


each  iteration,  not  a  cumulative  time).  This  increase  is 
likely  the  combined  result  of  the  growing  linear  program 
and  the  growing  size  of  the  mixed  strategies  considered  by 
the  greedy  approximation  sub-routines.  We  are  currently 
exploring  reliable  methods  to  limit  the  number  of  iterations 
while  maintaining  defender  payoff. 

6.  RELATED  WORK 

Network  security  has  received  much  attention  from  the 
research  community  in  the  past  two  decades.  Recent  inci¬ 
dents  have  shown  that  due  to  their  internet  connectedness 
such  networks  can  come  under  cyber  attack,  causing  severe 
problems’^.  See  [26]  for  a  discussion  of  cyber-security  issues 
relevant  to  smart  grid  grids. 

The  utilization  of  game  theory  in  designing  defense  so¬ 
lutions  seems  ubiquitous.  For  instance  [13]  model  the  in¬ 
teraction  between  a  DDoS  attacker  and  the  network  ad¬ 
ministrator  while  [14]  considers  a  game  theoretic  formula¬ 
tion  for  intrusion  detection.  Other  formulations  consist  in¬ 
clude  stochastic  games  [17],  signaling  games  [19],  allocation 
games  [4]  and  repeated  games  [3].  Game  theory  is  also  be¬ 
ing  used  in  monitoring  and  decision  making  in  smart  grids, 
see  for  instance  [9]  or  the  survey  by  Fadlullah  et  al.  [10]. 
However  to  date  no  game  theoretic  approach  has  been  given 
for  the  specific  problem  where  the  attacker  explicitly  sets  of 
a  cascading  power  failure  to  maximize  the  damage  to  the 
defender. 

Cascading  failure  models  applied  to  power  grid  infrastruc¬ 
ture  have  been  studied  in  the  past  [7,  8,  16].  The  model  of 
[8]  introduces  the  idea  of  edge  failure  based  on  excessive 
loads.  The  goal  of  the  research  presented  in  these  papers 
was  to  illustrate  properties  of  the  cascade,  rather  than  ex¬ 
plore  strategies  for  attack  and  defense  as  this  work  does. 
There  has  been  work  on  attack  and  defense  of  a  power-grid 
network  under  the  DC  power-flow  mode  [2,  21,  20,  6].  How¬ 
ever,  the  DC  power  flow  model  is  not  designed  to  model  the 
more  rapid  cascading  failures  (i.e.  the  2003  cascading  failure 
in  the  eastern  United  States  [1]). 

The  application  of  game  theory  to  security  situations  was 
made  popular  by  [18]  where  it  used  for  airport  security  pa¬ 
trol  scheduling.  Since  then,  other  applications  have  emerged 
including  port  protection  [23],  finding  weapons  caches  [22], 
and  security  checkpoint  placement  [12] .  One  that  bears  sim¬ 
ilarity  to  this  work  is  [24]  -  studying  games  for  controlling 
contagions  on  a  network.  However,  as  previously  discussed, 
that  model  operates  under  very  different  dynamics. 

■^http:  / /www.  wired.com  /  threatlevel  / 2009 /  10/smart  grid  / 
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7.  CONCLUSION 

In  this  paper,  we  explored  complexity,  algorithmic,  and 
implementation  issues  in  a  two-player  security  game  where 
the  attacker/defender  look  to  create/mitigate  cascading  fail¬ 
ure  on  a  power  grid.  Future  work  includes  an  examination 
of  scalability  issues  (larger  networks  and  strategies),  adding 
uncertainty  to  the  model,  and  the  consideration  of  more  real- 
world  information  about  the  power  grid  network  (i.e.  actual 
line  capacities,  etc.)  in  order  to  create  a  richer  model. 
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